With its monthly security updates, Microsoft brings a permanent fix for an Internet Explorer (IE) zero-day impacting users.
In addition to the IE bug, the Patch Tuesday release also addresses 22 other vulnerabilities across the company's Windows, IE and Silverlight products.
Five patches, two rated “critical” and three “important,” will rectify the security issues, a Microsoft security bulletin published on Tuesday said.
Top of mind, should be bulletin MS14-012, which plugs a total of 18 bugs in IE that could allow remote code execution (RCE) if a user views a malicious webpage using the web browser. Included in the patched RCE bugs, was the IE zero-day used in limited attacks against users last month.
The IE patch replaces a temporary fix issued by Microsoft in February, shortly after FireEye researchers revealed that a U.S. veterans website was compromised to serve the zero-day exploit.
Microsoft's other critical patch for March, MS14-013, resolves a privately reported vulnerability in Windows, which could also allow RCE if a user opens a malicious image file.
The remaining three bulletins, ranked “important,” address elevation of privilege bugs in Windows kernel-mode driver and vulnerabilities in Windows and Silverlight that could allow an attacker to bypass security features.
On Tuesday, Tyler Reguly, manager of security research at Tripwire, shared his concerns with reoccurring issues impacting Silverlight – an application development suite released in 2007.
In prepared comments emailed to SCMagazine.com, Reguly said that, as recently as last week, he mentioned that it was “time for Microsoft to give up on Silverlight…[which] sees a lot of patches given its limited adoption.”
“It appears that the Microsoft EOL [end of life] date for Silverlight 5 reaches into 2021,” Reguly wrote. “That's a long time for this technology to continue to receive updates. Since Microsoft is committed to supporting it, it'd be nice to see websites still using it commit to dropping it, then we could all uninstall Silverlight and effectively increase the security of end user systems,” he said.
On Tuesday, Dustin Childs, group manager of Microsoft Trustworthy Computing, wrote in a company blog post that the security bypass issue in Silverlight, addressed with bulletin MS14-014, could “impact [user] security in ways that aren't always obvious.”
“Specifically, the update removes an avenue attackers could use to bypass [address space layout randomization] ASLR protections,” Childs wrote. “Fixes like this one increase the cost of exploitation to an attacker, who must now find a different way to make their code execution exploit reliable. Picasso said, ‘The hidden harmony is better than the obvious' - Shutting down an ASLR bypass could be considered one of the most harmonious things to do to help increase customer security,” he said.